duologsync (DLS) is a utility written by Duo Security that supports fetching logs from Duo endpoints and ingesting them to different SIEMs.
duologsync requires credentials for an Admin API application with the "Grant read log" API permission. Create this application before installation and configuration.
To create the Admin API application:
- Log into the Duo Admin Panel as an administrator with the "Owner" role and navigate to Applications.
- Click Protect an Application and locate the entry for Admin API in the applications list.
- Click Protect to the far-right to configure the application and get your integration key, secret key, and API hostname. You'll need this information to update the
config.ymlfile later. - Scroll down to the "Permissions" section of the page and deselect all permission options other than Grant read log.
- Optionally specify which IP addresses or ranges are allowed to use this Admin API application in Networks for API Access. If you do not specify any IP addresses or ranges, this Admin API application may be accessed from any network.
- Click Save.
MSP customers gathering logs from linked accounts should create an Accounts API Duo application and use that application's information in the config.yml file.
- Make sure you are running Python 3+ with
python --version. - Clone this GitHub repository and navigate to the
duo_log_syncfolder. - Ensure you have "setuptools" by running
pip3 install setuptools. - Install
duologsyncby runningpython/python3 setup.py install. - Refer to the
Configurationsection below. You will need to create aconfig.ymlfile and fill out credentials for the adminapi in the duoclient section as well as other parameters if necessary. - Run the application using
duologsync <complete/path/to/config.yml>. - If a new version of DLS is downloaded from GitHub, run the setup command again to reinstall
duologsyncfor changes to take effect.
- Duologsync is compatible with Python versions
3.6,3.7, and3.8. - Duologsync is officially supported on Linux, MacOS, and Windows systems.
- On Windows operating systems,
duologsyncis installed in the\scripts\folder under the Python installation in most cases.
- A logging filepath can be specified in
config.yml. By default, logs will be stored under the/tmpfolder with nameduologsync.log. - These logs are only application/system logs, and not the actual logs retrieved from Duo endpoints.
- Current version supports fetching logs from auth, telephony, admin, and trust monitor endpoints and sending over TCP, TCP Encrypted over SSL, and UDP to consuming systems.
- Ability to recover data by reading from last known offset through checkpointing files.
- Enabling only certain endpoints through config file.
- Choosing how logs are formatted (JSON, CEF).
- Support for Linux, MacOS, Windows.
- Support for pulling logs using Accounts API (only for MSP accounts).
- Adding more log endpoints.
- Adding better skey security.
- Adding CEF and MSP support for the Trust Monitor endpoint.
- Duo Log Sync must be run a system set to the UTC/GMT Timezone
- See
template_config.ymlfor an example and for extensive, in-depth config explanation.
- The
log_formatfield is adls_settingssetting and it is for how Duo logs should be formatted before being sent to a server/siem. Valid options are CEF, JSON. The default will be JSON. - The
offsetfield is aapisetting and it is for days in the past from which record retrieval should begin. Maximum logs that can be fetched is180 daysin past. The default is 180. - The
timeoutfield is aapisetting and it is forsecondsto wait between API calls (for fetching Duo logs). If timeout is set to less than 120 seconds, it will be defaulted to 120. - The
enabledfield is acheckpointingsetting and it is for whether checkpoint files should be created to save offset information about API calls which will be used to continue fetching of data if utility crashes or is restarted. Valid options are True or False. - The
directoryfield is acheckpointingsetting is to mention path where checkpoint files will be created. The default is/tmp. - The
proxy_serveris aproxysetting and it is a Host/IP for the Http Proxy. - The
proxy_portis aproxysetting and it is a Port for the Http Proxy. - The
idis aserverssetting and it is a descriptive name for your server. It is aREQUIREDfield. - The
hostnameis aserverssetting and it is a address of TCP/UDP server to which Duo logs will be sent. It is aREQUIREDfield. - The
portis aserverssetting and it is a Port of server to which logs will be sent. The valid port range is 1024-65535. It is aREQUIREDfield. - The
protocolis aserverssetting and it is a transport protocol used to communicate with the server. The allowed options areTCP,TCPSSL,UDP. It is aREQUIREDfield. - The
cert_filepathis aserverssetting and it is a location of the certificate file used for encrypting communication for TCPSSL. TCPSSL expects that there are .key and .cert files that store keys. For configuration, give path of .cert/.pem file that has keys. It is aREQUIREDfield if protocol is TCPSSL. - The
ikeyis aaccountsetting and it is a integration key of theAdmin APIintegration. For MSP accoint, this should have integration key forAccounts API. It is aREQUIREDfield. - The
skeyis aaccountsetting and it is a private key of theAdmin APIintegration. For MSP accoint, this should have private key forAccounts API. It is aREQUIREDfield. - The
hostnameis aaccountsetting and it is a api-hostname of theAdmin APIintegration on which the server hosting this account's logs. For MSP accoint, this should have api-hostname forAccounts API. It is aREQUIREDfield. - The
endpointsfield is aendpoint_server_mappingssetting. It is for defining what endpoints the mapping is for as a list. The valid options areadminaction,auth,telephony,trustmonitor,activity. It is aREQUIREDfield. - The
serverfield is aendpoint_server_mappingssetting. It is where you define to what servers the logs of certain endpoints should go.This is done by creating a mapping (start with dash -).It is aREQUIREDfield. - The
is_mspfield is to define whether this account is a Duo MSP account with child accounts. If True, then all the child accounts will be accessed and logs will be pulled for each child account. It is aNOT REQUIREDfield. The default isFalse
- From time to time new features and fields will be added to the config file. Updating of the config file is mandatory when config changes are made. To make this easier, Duo has created a script called
upgrade_config.pywhich will automatically update your old config for you. - To use the
upgrade_config.pyscript, simply run the following command:python3 upgrade_config.py <old_config> <new_config>where<old_config>is the filepath or your old configuration file, and<new_config>is where you would like the new configuration file to be saved. - The
upgrade_config.pyscript will not delete your old config file, it will be preserved. - This script is a new feature and has to extrapolate some information, some unexpected issues may occur. For most old configs the script will work just fine. You can check if the new config file works by running it with DLS.
- The
is_mspfield under accounts section is required only when using DLS with the Accounts API. For this reason, the upgrade script won't create that field in new config by default.
- Calling Admin API handlers with Accounts API is mutually exclusive with cross-deployment sub-accounts. Many customers with sub-accounts (especially MSPs) must use cross-deployment sub-accounts and therefore can't use the Accounts API.
- Currently, the Trust Monitor endpoint only supports logging in JSON format, and does not support MSPs. Calling this endpoint (in combination with any other endpoints) using CEF format or MSPs will not allow the program to execute.